Security fixes are prepared for the latest tagged release and the main branch.
Report suspected vulnerabilities to info@makepay.io with enough detail to reproduce the issue. Please avoid public disclosure until the MakePay team has confirmed impact and prepared a fix.
- Never ship MakePay credentials in Unreal source, config, Blueprints, pak files, or save data.
- Create checkout sessions through your own backend.
- Verify MakePay webhooks on the backend before granting durable entitlements.
- Treat return links as untrusted client-side UI hints.
- Bind `ExternalId` to an authenticated player/order/entitlement record on the backend.
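
A backend sketch of the webhook and `ExternalId` rules above, added here as an example and not MakePay's own code. The HMAC-SHA256 signature scheme, the `status` field, and the order store are assumptions for illustration; only `ExternalId` comes from this page, so check MakePay's documentation for the real webhook format.

```python
import hashlib
import hmac
import json

# Assumption: webhooks are authenticated with HMAC-SHA256 over the raw body.
WEBHOOK_SECRET = b"constructed-test-secret"  # in production, load from a server-side secret store

# Constructed server-side state: orders the backend created for authenticated players.
ORDERS = {"ord-1001": {"player_id": "player-42", "sku": "gold_pack", "granted": False}}
ENTITLEMENTS = set()  # durable (player_id, sku) grants


def sign(raw_body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Hex HMAC-SHA256 of the exact bytes received (hypothetical scheme)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def handle_webhook(raw_body: bytes, signature: str) -> str:
    # 1. Authenticate the raw bytes before parsing anything; constant-time compare.
    expected = sign(raw_body).encode()
    if not hmac.compare_digest(expected, (signature or "").encode()):
        return "rejected: bad signature"
    try:
        event = json.loads(raw_body)
    except ValueError:
        return "rejected: malformed body"
    if not isinstance(event, dict) or not isinstance(event.get("ExternalId"), str):
        return "rejected: malformed body"
    # 2. Resolve ExternalId against a record the backend itself created.
    #    Player and SKU come from that record, never from the payload or the client.
    order = ORDERS.get(event["ExternalId"])
    if order is None:
        return "rejected: unknown ExternalId"
    if event.get("status") != "paid":  # hypothetical field name
        return "ignored: not paid"
    # 3. Grant idempotently so a replayed or retried webhook cannot double-grant.
    if order["granted"]:
        return "ok: already granted"
    order["granted"] = True
    ENTITLEMENTS.add((order["player_id"], order["sku"]))
    return "ok: granted"
```

The game client never appears in this path: a return link can update the UI, but the entitlement exists only after the signed webhook resolves to a backend-created order.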